Privacy was one of the issues that received wide regulatory attention in 2018 and it will continue to be among trending issues in 2019 given rising concerns over data security. The General Data Protection Regulation (GDPR) came into force in May 2018, prohibiting the transfer of European Union (EU) residents’ data out of the region unless the recipient countries have received an adequacy decision from the EU. Without an adequacy decision, firms will need to utilise standard contractual clauses or binding corporate rules.
The GDPR is viewed as the “strictest” data privacy law to date, and countries started to grapple with ways to align their own data protection laws. Many countries in the Asia Pacific started to tweak, implement or develop their own privacy laws. Thus far, the only Asian market that the EU has adopted an adequacy decision for is Japan. Its close counterpart, South Korea, is still in discussion stages even though it started the negotiation process in the same year as Japan in 2017.
Other markets are still far behind. After a report commissioned by the EU in 2010 concluded that India did not provide adequate protection based on its existing laws, the country is finalising a standalone data protection bill. Similarly, Thailand and Indonesia are targeting their draft personal data protection bills to be passed by this year.
Indonesia has been deliberating a draft personal data protection bill since 2015, but it keeps getting pushed back due to lack of prioritisation. It remains to be seen if the push from the Communication and Information Ministry to get the bill passed before the April presidential and legislative elections will bear fruit.
A privacy law is pertinent to Indonesia if it wants to continue attracting foreign investments and being the breeding ground for homegrown unicorns. Every new technology application will involve personal data, whether it is artificial intelligence, the Internet of Things, big data, or others. A privacy law developed based on international or regional standards such as the privacy principles of the Organisation for Economic Cooperation and Development (OECD) or the Asia-Pacific Economic Cooperation (APEC) Privacy Framework can help create certainty and an enabling environment for businesses, while offering adequate protection for a consumer’s personal data.
There are, however, constituencies within Indonesia that view the draft personal data protection bill as a tool to “level” the playing field, and they have lobbied hard to get the bill to impose data localisation rules on grounds that it will better “protect” the personal data of Indonesian residents. This is a flawed argument, as the protection principles under privacy frameworks are tech-neutral. Moreover, international and regional privacy frameworks provide avenues for data transfer as long as adequate protection measures are in place.
With rampant privacy breaches around the world, Indonesia’s data protection bill should come sooner rather than later. The longer it takes for the bill to be passed, the more vulnerable consumers are to data breaches. It will also make it tougher for Indonesian businesses to conduct cross-border business transactions without a privacy law that is aligned with the international markets.
A privacy law, even when it has been passed, may take years before it reaches maturity in terms of getting businesses to comply with the rules, raising public awareness, or introducing guidelines to complement the law in areas where there might be gaps, especially when new technology applications are introduced at a rapid cycle. For instance, Singapore passed its Personal Data Protection Act in 2012, but it wasn’t implemented fully until 2014 to give companies time to develop internal policies and comply with the law. They also only embarked on enforcement at a later stage once companies became more familiar with the rules.
In Indonesia, where small and medium enterprises (SMEs) form the bulk of businesses, they will be the group that will need the most hand-holding. The government will need to consider how SMEs can develop capacity in this area and how they would be able to manage the relevant compliance costs.
At the end of the day, while the concerns of different constituencies are considered, policymakers should remember that a well-measured data protection act is key to protecting consumers, and stalling it will not be beneficial to anyone.
Author: Seha Yatim, Policy Analyst, Access Partnership
This article was originally published at The Jakarta Post on 21 February 2019.